fisl 13
July 25 to 28, 2012
Centro de Eventos da PUCRS
Porto Alegre, Brazil


Key signing party

April 26, 2012, 0:00, by Software Livre Brasil

To improve the Web of Trust, we'll once more hold an OpenPGP key signing party during the International Free Software Forum.

The party will take place on Friday, July 27, in the Espaço Multiuso in the Exhibition Hall, and will follow the Projected Zimmermann-Sassaman Protocol, aiming at maximum agility.

What party is this??!

For starters: an OpenPGP key is a digital certification that asserts that what you write really comes from you. It also lets people encrypt something for you, so that only you can read it.

The original authentication problem ("Are you really yourself?") ends up transferred to your key ("Is this key really his/hers?"). The key is easier to transfer electronically than you are, right?


"What ensures this key is really his/hers?"

The problem of making sure the key is really yours is handled by a virtual entity known as the Web of Trust. I may not know you, but I can get a reasonable degree of confidence that this key belongs to you because it was signed by a specific person... Then, if I know that person, and I am sure that person would never sign a key for someone they do not know personally, then... got it? At a minimum, it creates an easy reference to follow: at any time I can ask that person about you, whether you exist, whether they saw your ID before signing your key, and so on.

The goal of such a party is to broaden the Web of Trust and so increase the likelihood that an authentication based on the Web of Trust is sound.

Got it. How do I join?


Briefly, what you need to know is here:

  • Send your key to the server by July 24, 1:00 AM GMT (note: this server accepts uploads only):

          bash$ gpg --keyserver --send-keys KeyID
          gpg: sending key KeyID to hkp server

  • Verify that the key was accepted by trying to send it again (you should receive an error 409):

          bash$ gpg --keyserver --send-keys KeyID
          gpg: sending key KeyID to hkp server
          gpgkeys: HTTP post error 22: url returned error 409 <======See the error here!
          gpg: keyserver internal error
          gpg: keyserver send failed: keyserver error

  • Wait for the list of participant keys, with its hashes, to be published here.
  • Print the list and compute the hashes yourself, ticking the appropriate box when they match.
  • Bring to the party two photo ID documents (at least one must be issued by a government authority), a copy of your key's fingerprint, the list you printed, and a pen.

Old keys

This is going to be a generic party. Therefore, old keys (DSA 1024, with SHA-1) will be accepted without problems.

However, we strongly recommend generating new, stronger keys, taking advantage of the party's potential to improve the infrastructure of the Web of Trust.

If you own old keys, please consider taking the necessary steps to replace them with stronger keys. If you don't own any OpenPGP keys yet and intend to generate a pair so you can join the party, please create strong keys (at least RSA 2048, SHA256 - see Key Length Site for a discussion about key size)... The previous reference shows how to configure GnuPG to generate keys (see here a Mini-Howto about the subject).
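To see which keys on a keyring fall into the "old" category described above, the following added example (not part of the original article or of GnuPG) parses GnuPG's colon-delimited listing and flags RSA/DSA primary keys below 2048 bits and self-signatures made with SHA-1. The `audit` helper and the sample listing are hypothetical; field positions follow GnuPG's doc/DETAILS, and it assumes a GnuPG version that emits the hash algorithm field on `sig` records.

```python
# Constructed sample in the format of
# `gpg --with-colons --fingerprint --list-sigs`; all IDs are made up.
SAMPLE = """\
pub:-:1024:17:1111111111111111:1104537600:::-:::scESC:
fpr:::::::::AAAA0000AAAA0000AAAA00001111111111111111:
uid:-::::1104537600::X::Old Key <old@example.org>:
sig:::17:1111111111111111:1104537600::::Old Key <old@example.org>:13x:::::2:
sub:-:2048:16:3333333333333333:1104537600::::::e:
fpr:::::::::CCCC0000CCCC0000CCCC00003333333333333333:
pub:-:4096:1:2222222222222222:1335398400:::-:::scESC:
fpr:::::::::BBBB0000BBBB0000BBBB00002222222222222222:
uid:-::::1335398400::Y::New Key <new@example.org>:
sig:::1:2222222222222222:1335398400::::New Key <new@example.org>:13x:::::8:
"""

ALGO = {1: "RSA", 17: "DSA"}   # OpenPGP public-key algorithm IDs
SHA1 = "2"                     # OpenPGP hash algorithm ID for SHA-1
MIN_BITS = 2048                # the page's recommended minimum

def audit(listing):
    """Map each primary key fingerprint to a list of weaknesses (hypothetical helper)."""
    report, key_id, problems, want_fpr = {}, None, [], False
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":                       # a new primary key starts here
            key_id, problems, want_fpr = f[4], [], True
            bits, algo = int(f[2]), int(f[3])
            if algo in ALGO and bits < MIN_BITS:
                problems.append(f"{ALGO[algo]} {bits} is below {MIN_BITS} bits")
        elif f[0] == "fpr" and want_fpr:        # first fpr after pub is the primary's
            report[f[9]] = problems
            want_fpr = False
        elif (f[0] == "sig" and len(f) > 15 and f[4] == key_id
              and f[15] == SHA1):               # self-signature made with SHA-1
            if "self-signature uses SHA-1" not in problems:
                problems.append("self-signature uses SHA-1")
    return report

if __name__ == "__main__":
    for fpr, problems in audit(SAMPLE).items():
        print(fpr, "OK" if not problems else "; ".join(problems))
```

To check a real key, pass `audit` the output of `gpg --with-colons --fingerprint --list-sigs KeyID` instead of the constructed sample.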

Didn't understand anything?

The Key Signing Party Coordination webpage has more information.
